1CO. 


Information Commissioner’s Office 


Enforced subject access (section 56) 


Data Protection Act 

Contents 

THEPOCUICTION icsccccrenanaaceasasandaenanaadansasasdaasanaaaaasaraadaaseraaiaanananiananas 2 
RON acetate nca E E nents aaa meets aude 3 
The criminal OffEN CO... ceeeeeeccessecceceeseeeesseueeeueeeeeeeseeeseeeeeeeeeaaae 2D 
Exceptions and Penallti@s..............ccccccccssssecssssssecssssssesesssrseesssteesessene Gee eee 7 
Relevant PE COPOS ccc taccecsvsiviconsctis ccwdduarnineesaninttaidisaienlbausdeepiddecudubtesnbebe tance as .8 
Other CONSIMEratiONS ... cece cee eesseeseeeeecceceeeeeeceueuesuuuueuuuueeeusueaeeeeeeeess 9 
More inNfOrMation.n........ccccccecccccccccccccecccceseseseueesuuusueuuaaeeeeeeaeceeeeeeeeseueeeueunanae aaa 10 
ANNEX orenen aa oe Eada E E EENE Neend erence EO ECTE T .11 


[Enforced subject access] (section 56) 
20150225 
Version: 1.1 


Introduction 


1. The Data Protection Act 1998 (DPA) is based around eight 
principles of good information handling. These give people 
specific rights in relation to their personal information and 
place certain obligations on those organisations that are 
responsible for processing it. 


2. The DPA also creates a number of criminal offences around how 
personal data is used. An overview of the main provisions of 
the DPA can be found in The Guide to Data Protection. 


3. This is part of a series of guidance, which goes into more detail 
than the Guide, to help data controllers to fully understand 
their obligations and promote good practice. 


4. This guidance explains the criminal offence created under 
section 56 of the DPA, commonly known as enforced subject 
access. 


5. Enforced subject access will typically occur where a person 
wishes to see another individual’s criminal record, but chooses 
not to use the established legal system. 


6. This guidance examines the subsections of section 56 to 
explain how the ICO has interpreted these provisions. 


Overview 





Section 56 of the DPA makes it a criminal offence to require an 
individual to exercise their subject access rights (under section 7 of 
the DPA) to gain access to information about their convictions and 
cautions and provide that information to a person. This may be 
used, for example, to provide as supporting evidence regarding a 
job application or before entering into a contract for goods, facilities 
or services. The law sets out varying levels of fine depending on 
where in the UK the offence has been committed (see paragraph 27 
for more information). 


There is an appropriate way of accessing an individual’s criminal 
records (when it is legitimate to do so) through the criminal records 
disclosure regime. Organisations can request basic checks which 
would divulge unspent convictions, or standard checks, which would 
include spent and certain unspent convictions, cautions, reprimands 
and final warnings (though details of the latter may be filtered out 
in some cases). Enhanced checks would disclose all of the 














information held in a standard check plus certain relevant 
information held by the police on an individual. 


Organisations can make these requests (where it is possible and 
necessary to do so) to: 


° the Disclosure and Barring Service (DBS) in England and 
Wales for standard and enhanced checks; 
e Disclosure Scotland for Scotland and for all Great Britain basic 


checks (Disclosure Scotland do standard, enhanced and Protecting 
Vulnerable Groups Scheme checks (PVG checks) for organisations in 
Scotland); and 

° Access Northern Ireland for Northern Ireland (all basic checks 
for Northern Ireland should be sought from Access Northern 
Ireland). 


An individual providing the results of a subject access request, 
rather than using the appropriate channel set out above, runs the 
risk of greater, and sometimes excessive disclosure. This is 
because a subject access request requires all personal information 
to be disclosed (subject to some exemptions), and does not 
distinguish, for instance, between spent and unspent convictions. 


For more information on subject access requests, read the ICO’s 
Subject access: code of practice. 


Making this type of request is a right set out in the DPA, but there 
is a distinction between someone doing so of their own volition and 
somebody being required to make such a request by someone else. 











The criminal offence 


Subsection 56(1) DPA 


7. Section 56(1) DPA states: 
‘(1) A person must not, in connection with— 
(a) the recruitment of another person as an employee, 
(b) the continued employment of another person, or 


(c) any contract for the provision of services to him by another 
person, 


require that other person or a third party to supply him with a 
relevant record or to produce a relevant record to him.’ 


8. This subsection makes it a criminal offence for a person (this 
can be an individual or a legal person, such as an employer or 
organiser) to require another person (or a third party) to make, 
and provide the results of, a subject access request for a 
‘relevant record’. The use of the words ‘in connection with’ 
mean that this subsection has a broad scope. 


9. The ‘relevant record’ will be a person’s personal data, contained 
within one of the types of information defined in subsection 
56(6) of the DPA. This can be in relation to the recruitment of 
that person as an employee (‘employee’ being defined in 
subsection 56(10) DPA), their continued employment or any 
contract for the provision of goods or services to the person 
imposing the requirement by any other person. 





Example 


An individual applies for a position as a waiter at a restaurant 
but is told that they cannot be offered the position until they 
provide a copy of their criminal record. The employer states 
that they must make a subject access request in order to gain 
this information and they will only be appointed if it is 
supplied. The employer is likely to have committed an offence 
under subsection 56(1)(a) of the DPA. 














Example 


A shop owner decides to extend the size of their premises. A 
local builder submits the successful tender. The shop owner 
requires the builder to confirm whether or not they have ever 
been in prison, before they will allow the work to go ahead, 
explaining that the builder can make a subject access request 
to the Prison Service to do this. In this instance, the 
shopkeeper is committing an offence under subsection of the 
56(1)(c) DPA. 











Subsection 56(2) DPA 


10. Section 56(2) DPA states: 


‘A person concerned with the provision (for payment or not) of 
goods, facilities or services to the public or a section of the 
public must not, as a condition of providing or offering to 
provide any goods, facilities or services to another person, 
require that other person or a third party to supply him with a 
relevant record or to produce a relevant record to him.’ 


11. Itis an offence under subsection 56(2) DPA if a person 
providing goods, facilities or services requires an individual to 
make a subject access request as a condition of providing them 
with goods, facilities or services. 


12. The terms goods, facilities or services are used in their normal 
plain English sense. 


13. Providing the opportunity for individuals to do voluntary work is 
caught by the provision of goods, facilities or services. 





Example 


An individual makes an application for insurance to an 
insurance provider. The individual wants to be provided with a 
service. The insurer agrees to insure the individual but 
explains that it is a condition of the insurance that the 
individual must make a subject access request for their 
criminal record. The insurance company is likely to have 
committed an offence. 














Example 


An individual applies to do voluntary work with a charity. The 
charity explains that the individual can work for them but they 
will first need to exercise their subject access rights and 
provide the charity with their criminal record, before they can 
start. The charity is likely to have committed an offence. 











What does ‘require’ mean? 


14. In relation to section 56 DPA, the ICO takes a broad 
interpretation of the word ‘require’. It has several plain English 
meanings but the most appropriate in this case is ‘to make 


15. 


16. 


17. 


18. 


19. 


necessary’!. This means that a person makes it necessary for 
an individual to make a subject access request and provide 
them with that information before they will, for example, offer 
an individual a job. 


A ‘requirement’ in relation to an enforced subject access 
request should be looked at in a wider context than simply an 
individual not receiving a job if he or she does not make a 
subject access request. 


For instance, it would be considered a requirement if an 
individual would be left in a detrimental position by not making 
a subject access request. Similarly, if making a request is 
incentivised, an individual misses out by not making it. 





Example 


An individual applies for a job and is successful. Their potential 
employer informs them that they will be given the job whether 
or not they make a subject access request for their criminal 
record. However, the potential employer explains that if they 
do not make a subject access request, their annual salary will 
be at a reduced rate than that advertised. This would 
obviously leave the individual in a detrimental position if they 
did not make a subject access request. 











It is the act of ‘requiring’ an individual to make a subject 
access request that is the offence. The requirement is enough, 
and is not dependant on the withdrawal of the offer of 
employment or the provision of goods, facilities or services. 


An individual will have been required to make a subject access 
request if they are given the option to either be subjected to an 
appropriate and lawful criminal records check (through the 
Disclosure and Barring Service (DBS), Disclosure Scotland or 
Access Northern Ireland) or make a subject access request. 


It is worth noting that the cost of making a subject access 
request (usually £10 or sometimes free) is less expensive than 
going through the appropriate criminal record check (which can 
be at least twice as expensive). The act of encouraging or 
incentivising the data subject to use their subject access rights 
to obtain the information would be sufficient to constitute a 
requirement. 


1 http://www.oxforddictionaries.com/definition/english/require 





What does a ‘condition’ mean in this context? 


20. 


In relation to subsection 56(2) of the DPA, the term ‘condition’ 
uses its everyday meaning, ie a situation or state of affairs that 
must exist before something else can exist or be permitted. 
Therefore, the requirement will be a condition where the 
provision of the goods, facilities or services is dependent on the 
subject access request being made. 


Exceptions and penalties 


Subsection 56(3) and (4) DPA 


2i. 


22. 


23. 


24. 


25. 


Subsection 56(3)(a) DPA explains that it will not be a criminal 
offence for a person to request an individual to make a subject 
access request for their personal data if there is another piece 
of legislation which allows this to be done, if any rule of law 
allows it or if a court orders an individual to make a subject 
access request. 


Subsection 56(3)(b) DPA makes an enforced subject access 
request allowable, if that requirement can be justified as being 
in the public interest. Given the importance of subject access 
as acore right within the DPA, and also noting the reference in 
article 8(2) of the EU Charter of Fundamental Rights, there will 
need to be an extremely strong justification for enforced 
subject access to be justified as being in the public interest, 
supported by clear, specific and cogent evidence. 


This may be difficult to achieve as there is already clear public 
policy and laws relating to criminal record checking and 
rehabilitation, which reflect the availability of such information. 


Subsection 56(4) DPA explains that the public interest defence 
provided in subsection 56(3) DPA (ie why requiring a subject 
access request to be made is in the public interest) cannot be 
used as a defence when the justifying argument is that the 
public interest relates to the prevention or detection of crime. 


This is because Part V of the Police Act 1997 defines in what 
circumstances certain types of criminal records check can be 
made. Given that the Police Act 1997 outlines the 
circumstances for criminal records checking, it is not possible 
to justify enforced subject access on the basis that it would 
assist with the prevention or detection of crime. 


Subsection 56(5) DPA 


26. This subsection confirms that an individual who requires 
someone to make a subject access request is committing a 
criminal offence. This is an offence which can be heard either 
by a magistrates court or a crown court, in England, Wales and 
Northern Ireland. In Scotland it will be heard in a sheriff court. 
Committing such an offence in England and Wales can carry an 
unlimited fine, while in Scotland the fine can be unlimited if 
heard under solemn procedure or £10,000. In Northern 
Ireland, the maximum fine if convicted under a summary 
offence is £5000, or if convicted on indictment the maximum 
fine is unlimited (unless expressly limited by statute). 


27. Any ICO prosecutions will be carried out in line with the ICO 
prosecution policy statement. 


Relevant records 


Subsection 56(6), (6A) and (7) DPA 


28. These subsections describe what is considered to be a ‘relevant 
record’. Subsection 56(6)(a) explains, in relation to the 
adjoining table, the list of data controllers who can hold a 
‘relevant record’ (the left hand column of the table). Subsection 
56(6)(b) DPA explains the type of information to which a 
relevant record can relate eg criminal convictions (the right 
hand column of the table). A copy of the table is available in 
the annex. 


29. Subsection 56(6A) DPA explains that where a subject access 
request is made for information which is purely information 
that is category ‘(e)’ data (as defined under section 1 DPA), 
this is not a request for a relevant record. Category ‘(e)’ data 
does not constitute a relevant record under section 56 DPA. It 
follows that this could not be considered as an enforced 
request. 


30. Subsection 56(7) DPA explains the definitions of ‘caution’ and 
‘conviction’ in relation to the table found under subsection 
56(6) DPA. 


Subsection 56(9) DPA 


31. This subsection explains that a subject access request is still 
considered as enforced even if the response states that no 
information is being processed about an individual. Such a 
response reveals information in itself, and the act of requiring 


is enough to be an offence under section 56 DPA, as mentioned 
previously. 


Subsection 56(10) DPA 


32. 


This subsection defines what an employee is for the purposes 
of section 56 DPA. It explains that it can be an individual who 
works under a contract of employment under section 230(2) of 
the Employment Rights Act 1996 or someone who holds any 
office, whether or not the individual is entitled to payment for 
their position. 


Other considerations 


33. 


34. 


35. 


This guidance makes it clear that making an enforced subject 
access request is a criminal offence and should not be done. A 
person may seek access to an individual’s criminal past using 
the criminal records regime set out in the Police Act 1997, 
where the regime allows them to do so. Individuals may also 
apply for a ‘Basic Check’ disclosure of their own record by 
applying to Disclosure Scotland or Access Northern Ireland. 


Organisations should consider if they have a good reason for 
requesting a criminal records check. Once they have this 
information, they will then be a data controller for sensitive 
personal data with all the compliance responsibilities found 
under the DPA. 


If it is necessary to do so, detailed standard and enhanced 
criminal record checks can be done through the appropriate 
statutory procedures (DBS in England and Wales, Disclosure 
Scotland in Scotland and Access Northern Ireland in Northern 
Ireland). 


More information 


37. 


38. 


Further information on other parts of the DPA is available on 
our guidance pages 


As this guidance has been developed by drawing on ICO 
experience, it may provide more detail on issues that are often 
referred to the Information Commissioner than on those we 
rarely see. The guidance will be reviewed and considered from 
time to time in line with new decisions of the Information 
Commissioner, Tribunals and courts. 


39. It is a guide to our general recommended approach, although 


40. 


Annex 


individual cases will always be decided on the basis of their 
particular circumstances. 


If you need any more information about this or any other 
aspect of data protection, please contact us, or visit our 
website at www.ico.org.uk. 


Section 56 DPA 








56 Prohibition of requirement as to production of 
certain records 


(1) A person must not, in connection with-- 
(a) the recruitment of another person as an employee, 
(b) the continued employment of another person, or 


(c) any contract for the provision of services to him by 
another person, 


require that other person or a third party to supply him with 
a relevant record or to produce a relevant record to him. 


(2) A person concerned with the provision (for payment 
or not) of goods, facilities or services to the public or a 
section of the public must not, as a condition of providing or 
offering to provide any goods, facilities or services to 
another person, require that other person or a third party to 
supply him with a relevant record or to produce a relevant 
record to him. 


(3) Subsections (1) and (2) do not apply to a person who 
shows-- 


(a) that the imposition of the requirement was required 
or authorised by or under any enactment, by any rule of 
law or by the order of a court, or 


(b) that in the particular circumstances the imposition 
of the requirement was justified as being in the public 
interest. 














(4) Having regard to the provisions of Part V of the Police 
Act 1997 (certificates of criminal records etc), the imposition 
of the requirement referred to in subsection (1) or (2) is not 
to be regarded as being justified as being in the public 
interest on the ground that it would assist in the prevention 
or detection of crime. 


(5) A person who contravenes subsection (1) or (2) is 
guilty of an offence. 


(6) In this section "a relevant record" means any record 
which-- 


(a) has been or is to be obtained by a data subject from 
any data controller specified in the first column of the 
Table below in the exercise of the right conferred by 
section 7, and 


(b) contains information relating to any matter specified 
in relation to that data controller in the second column, 


and includes a copy of such a record or a part of sucha 
record. 


TABLE 
Data controller Subject-matter 
1 Any of the following (a) Convictions. 
persons-- 
(a) a chief officer of (b) Cautions. 


police of a police force in 

England and Wales. 

(b) the chief constable 

of the Police Service of 

Scotland. 

(c) the Chief Constable 

of the Police Service of 

Northern Ireland. 

(d) the Director General 

of the National Crime 

Agency. 

2 The Secretary of State. (a) Convictions. 
(b) Cautions. 
(c) His functions under 
section 92 of the Powers of 
Criminal Courts (Sentencing) 
Act 2000, section 205(2) or 
208 of the Criminal 
Procedure (Scotland) Act 








3 The Department of 


for Northern Ireland. 


4 Disclosure and Barring 
Service. 


5 The Scottish Ministers. 





Health and Social Services 


1995 or section 73 of the 
Children and Young Persons 
Act (Northern Ireland) 1968 
in relation to any person 
sentenced to detention. 

(d) His functions under the 
Prison Act 1952, the Prisons 
(Scotland) Act 1989 or the 
Prison Act (Northern Ireland) 
1953 in relation to any 
person imprisoned or 
detained. 

(e) His functions under the 
Social Security Contributions 
and Benefits Act 1992, the 
Social Security 
Administration Act 1992, the 
Jobseekers Act 1995, Part 1 
of the Welfare Reform Act 
2007 or Part 1 of the 
Welfare Reform Act 2012. 
(f) His functions under Part 
V of the Police Act 1997. 


Its functions under the 
Social Security Contributions 
and Benefits (Northern 
Ireland) Act 1992, the Social 
Security Administration 
(Northern Ireland) Act 1992, 
the Jobseekers (Northern 
Ireland) Order 1995 or Part 
1 of the Welfare Reform Act 
(Northern Ireland) 2007. 

(a) Its functions under the 
Safeguarding Vulnerable 
Groups Act 2006 [or the 
Safeguarding Vulnerable 
Groups (Northern Ireland) 
Order 2007. 

(b) Its functions under 
Part 5 of the Police Act 
1997. 

Their functions under Parts 1 
and 2 of the Protection of 
Vulnerable Groups 


(Scotland) Act 2007 (asp 











14). 


(6A) A record is not a relevant record to the extent that 
it relates, or is to relate, only to personal data falling within 
paragraph (e) of the definition of "data" in section 1(1). 


(7) In the Table in subsection (6)-- 


"caution" means a caution given to any person in England 
and Wales or Northern Ireland in respect of an offence 
which, at the time when the caution is given, is admitted; 


"conviction" has the same meaning as in the Rehabilitation 
of Offenders Act 1974 or the Rehabilitation of Offenders 
(Northern Ireland) Order 1978. 


(8) The Secretary of State may by order amend-- 
(a) the Table in subsection (6), and 
(b) subsection (7). 


(9) For the purposes of this section a record which states 
that a data controller is not processing any personal data 
relating to a particular matter shall be taken to be a record 
containing information relating to that matter. 


(10) In this section "employee" means an individual who- 


(a) | works under a contract of employment, as defined 
by section 230(2) of the Employment Rights Act 1996, or 


(b) holds any office, 


whether or not he is entitled to remuneration; and 
"employment" shall be construed accordingly. 








